Sunday, September 30, 2012

Earlier this month, before the Senate adjourned for the electioneering
break, Sen. Klobuchar (D,MN) introduced S 3560, the Cloud Computing Act of 2012.
The bill would specifically add attacks against cloud computing services to the
federal computer offences listed in 18
USC §1030.

Cloud ICS Not Covered

The current wording of the bill would not specifically
address attacks against control systems operating in the cloud. The key to this
lack of coverage is two definitions being added by §2(b)(3) to §1030(e): ‘cloud
services’ and ‘cloud computing account’. The ‘services’ term is defined as “a
service that enables convenient, on-demand network access to a shared pool of
configurable computing resources (including networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with
minimal management effort or interaction by the provider of the service”. This
definition could probably apply to ICS computing services in the cloud.

The limiting term deals with the cloud computing account.
The term ‘cloud computing account’ means “information stored on a cloud
computing service that requires a password or similar information to access and
is attributable to an individual”. While it could be argued that ‘information
stored’ could include information that forms the instructions in a cloud-based
control system, the requirement that the information be ‘attributable to an
individual’ clearly excludes cloud-based ICS.

This lack of ICS coverage is further emphasized in the
additional language that is added to §1030 as sub-paragraph (k) that states if
one of the computer offenses currently listed in the section is conducted
against a computer that “is part of a cloud computing service, each instance
of unauthorized access of a cloud computing account, access in excess of
authorization of a cloud computing account, or attempt or conspiracy to access
a cloud computing account without authorization or in excess of authorization
shall constitute a separate offense” {§2(a)}. Nothing in that description can
reasonably be construed to involve an industrial control system.

To be fair to Ms. Klobuchar and her staff, there has not yet
been a large movement of control systems to the cloud. It does seem apparent to
the casual observer, however, that it is only a matter of time before there will
be significant control system applications located in the cloud. If Congress intends
to provide criminal sanctions on attacks against the cloud, the wording ought
to be inclusive enough to address such services.

A simple wording change to ‘each instance of unauthorized
access of a cloud computing account or
cloud computing service’ should suffice.

Other Provisions

It would be truly impressive if a Senator could write a
simple bill that accomplished a single purpose, but it doesn’t happen here.
There are three additional provisions that deal with international cooperation
and federal cloud computing procurement forecasting.

Section 4 of the bill requires the Secretary of State to
work with international agencies (the actual wording in the bill is ‘international
fora’; how quaint) “to advance the aims of ensuring interoperability between
the provisions of this Act, the amendments made by this Act, and other laws and
policies of the United States and foreign countries”. Such a vaguely worded
requirement is no requirement at all.

Section 5 does kind of follow up that requirement with the
inevitable requirement for another study. This one requires the Secretary of
State to “conduct a study on international cooperation regarding data privacy,
retention, and security” {§5(a)(1)}. There is, of course, a requirement to
present the results of this study to the Congress. This again reinforces the
intention of this bill to only address information security, not ICS security.

These two sections of the bill do provide a sort of a
logical extension of the legal definition of cloud computing offenses outlined earlier
in the bill. The only relation the final section of the bill has to the named
purpose of the bill is that it also refers to cloud computing. In this case,
however, it is a requirement for each agency of the federal government to
provide a “3-year forecast of the plans of the agency relating to the
procurement of cloud computing services and support relating to such services”
{§6(b)}.

Moving Forward

The introduction of this measure so late in the
session calls into question if it was ever really intended to pass. If the
Congress is going to take up any cybersecurity measure in the post-election
lame duck session it is unlikely to be this one. This may be just another one
of the multitude of bills that were introduced this month to further a
re-election campaign.

On Friday the Office of Management and Budget approved two
rules dealing with the US bioterrorism prevention program, one from HHS/CDC
and the other from USDA.
Both rules deal with the biennial review of select agents and toxins.

Select Agent and Toxin List

The USDA rule would amend and republish the list of select
agents and toxins that have the potential to pose a severe threat to animal or
plant health, or to animal or plant products. It implements the findings of the
third biennial review of the list. The rule reorganizes the list based on the
relative potential of each select agent or toxin to be misused to adversely
affect human, plant, or animal health. This tiering of the list would allow for the
risk-based structuring of security measures.

Security Measures

The HHS/CDC rule also updates the Select Agent and Toxin
list based upon an interdepartmental review. It also implements the
requirements of EO
13546, Optimizing the Security of Biological Select Agents and Toxins
(BSAT) in the United States, to review, tier, and reduce the Select Agent List;
establishing personal reliability standards for BSAT workers; and establishing
physical security standards for identified Tier 1 select agents and toxins.

Not Homeland Security Related

The OMB makes one of the silliest statements that I have
seen in a government publication in a long time in their action notice for each
of these rules (HHS/CDC
and USDA).
On their standard notification format there is a question to be answered by
OMB: “Related to Homeland Security”. In both instances the answer is “No”. The
whole purpose of these two rules is to ensure that no one steals or diverts any
of the select agents or toxins to be used as terrorist weapons. This is clearly
established in §3(a) of the Executive
Order: “The use of BSAT presents the risk that BSAT might be lost, stolen, or
diverted for malicious purpose.” And what better malicious purpose than a
terrorist WMD attack?

The only thing that I can figure is that someone at OMB is making
a simplistic response to that question; since the rule was not filed by DHS,
then it couldn’t be related to Homeland Security. Needless to say that would be
the height of bureaucratic simplemindedness. Hopefully this mistake was one made
by an administrative minion and not someone with decision making authority.

Moving Forward

Both rules were approved ‘Subject to Change’ so I suspect
that there will be a little time lag for those ‘minor corrections’ required by
OMB to be made to the documents. Typically these take a couple of weeks, but
that would mean that they would be published in the Federal Register during the
‘October Surprise’ period of a presidential campaign. If the politicians at the
White House feel that there is anything even slightly controversial in these
rules, I would suspect that they would be further delayed until after November
6th; no sense giving the opposition any unnecessary ammunition in a
very close election.

BTW: I hope that HHS/CDC does a better job of writing
risk-based security performance standards than DHS/ISCD did.

Saturday, September 29, 2012

The Commerce Department’s Bureau of Industry and Security
published an information collection request (ICR) renewal notice in the Federal
Register (77 FR 59891-59892)
on Monday (available on the Internet today) for the submission of declarations,
reports and inspections required by the Chemical Weapons Convention Implementation
Act of 1998 and Commerce Chemical Weapons Convention Regulations (CWCR).

The current ICR (0694-0091)
expires 02/28/2013 and there are no changes in this renewal request. The
numbers provided in this request are:

• Estimated Number of Respondents:
816.

• Estimated Time per Response: 10
minutes--12 hours per response.

• Estimated Total Annual Burden
Hours: 16,047.

• Estimated Total Annual Cost to
Public: $41,740.

Public comments may be submitted via email to Jennifer
Jessup (JJessup@doc.gov). Comments need to
be submitted by November 30, 2012.

NOTE: Most of the facilities required to submit Schedule 1
and 2 reports under this program will also be covered under the CFATS program.

Yesterday DHS ICS-CERT published an advisory for the Emerson DeltaV service based upon a
coordinated disclosure by Kuang-Chun Hung of the Security Research and Service
Institute-Information and Communication Security Technology Center (ICST). The advisory
concerns a buffer overflow vulnerability that could allow a relatively low
skilled attacker to send a specially crafted string to a specific (but unnamed)
port that could crash the system.

Emerson has crafted a hot fix for the problem that has been verified
to be effective by ICST. According to the advisory (which was published earlier
on the US-CERT restricted portal) Emerson contacted system owners with a
notification about the problem and solution. This is the first time that I have
seen an advisory note that the vendor directly communicated a vulnerability to
system owners; I would like to think that ICS-CERT has simply overlooked
mentioning this fact in other cases. If that is not the case, Emerson deserves
special kudos for this action and hopefully this starts a trend.

Friday, September 28, 2012

DHS published a notice in today’s Federal Register (77 FR 59627)
announcing that the Homeland Security Advisory Council (HSAC) will be holding a
public teleconference on October 3rd, 2012. The HSAC will discuss
the report of the Cyber Skills Task Force during this teleconference.

Late Notice

The Federal Advisory Committee Act requires 15-days notice
for these types of meetings. The announcement justifies the short notice by
stating that:

“This notice of the teleconference meeting
of the HSAC is published in the Federal Register with less than 15 days' due to
the complexity of the issue, the task force was not able to complete its report
within this aggressive time line in time for deliver to the HSAC at its
September 24-25 meeting. Waiting for the full 15 day notice period to conduct
the teleconference will delay the discussion of the report to a period of time
that will prevent the Secretary from meeting with the HSAC to review the report
due to her travel schedule.”

Interestingly there was no mention of this report in the notice
for the meeting earlier this week, so it would seem that the HSAC knew back
on September 7th that this teleconference would be required. Even
more interesting is the fact that there is no mention of a Cyber Skills Task
Force on the HSAC web
site. Nor was there mention of this task force in the minutes of the last two
meetings of the HSAC.

Public Participation

The public will be allowed to participate in the
teleconference in the ‘listen-only’ mode. People wishing to so participate must
register with the HSAC via email at HSAC@dhs.gov
or via phone at (202) 447-3135. Copies of the task force report will be
provided to registrants at the time of registration. Written comments on the
topic may be posted to the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0064)
though that docket had not yet been established as of 6:00 am EDT this morning.
Both registration and the submission of written comments must be accomplished
by 5:00 pm EDT on September 30th (please note that that is this
Sunday and I would be very surprised if anyone will be answering the phones at
HSAC on Saturday or Sunday).

Irreverent Question

There is nothing in this notice that would so indicate, but
I wonder… Would this Cyber Skills Task Force report be in any way linked to the
much rumored ‘Cybersecurity Executive Order’ that is apparently imminent?

Yesterday DHS ICS-CERT published an updated Joint Security
Awareness Report (JSAR) on Shamoon and an advisory for an Optimalog vulnerability
reported last year by Luigi.

Shamoon

US-CERT/ICS-CERT updated their earlier
advisory on Shamoon. The new
version adds almost three pages of mitigation measures that organizations
can take to protect themselves (actually only reduce their vulnerability) against
a Shamoon attack. The JSAR divides the mitigations into ‘tactical’ and ‘strategic’
measures. The measures are an interesting mixture of the common (‘Ensure that
password policy rules are enforced…’), the old school (‘Execute daily backups
of all critical systems.’) and new form (‘the whitelisting of legitimate
executable directories…’) security measures. Implementing all of the
recommended actions will require a lot of work, particularly training.

There still isn’t anything in the JSAR that reports any specific
ties of the Shamoon to control systems. Of course with the small number of
reported infections it is hard to tell exactly what may or may not be at risk.
At this point this is a low probability high consequence threat. That makes one
question the need to spend the time and money to implement the listed
mitigations. I guess that’s what CSOs get the big money for.

Optimalog Vulnerability

Last November ICS-CERT published an
alert based upon an uncoordinated
disclosure by Luigi for the Optima APIFTP Server system. Yesterday ICS-CERT
published an
advisory on the twin vulnerabilities: a null pointer dereference and a loop
with unreachable exit condition. ICS-CERT reports that a relatively unskilled attacker
could use the publicly available exploit to remotely execute a denial of
service attack.

Optimalog has released a new version that no longer installs
the APIFTP server by default. If the APIFTP server is
to be used, Optimalog recommends configuring “the firewall and VPN accordingly”.
There is no link to any Optimalog document or site that details that ‘accordingly’.

This advisory mentions Luigi’s
uncoordinated disclosure but does not provide links to Luigi’s web page
describing the vulnerability. Nor does it actually mention the original alert.
The latter is unusual, but I thought that ICS-CERT had finally gotten it
through their collective head that they had an obligation to give appropriate credit
to the intellectual property that forms the basis of their report. Reid
Wightman got credit last week, but Luigi doesn’t this week. I’m starting to see
a pattern here; Digital Bond and the Washington Post carry enough weight to
demand acknowledgement, an independent researcher doesn’t.

Thursday, September 27, 2012

“The NPRM concerning the use of
TWIC readers has been developed and is currently going through high-level
approval and review.”

The TWIC Reader rule is still going through the DHS approval
process and has yet to be sent to the Office of Management and Budget for its
review. The OMB approval process can be quite lengthy (most rules, about 75%,
take at least 90 days to receive OMB approval).

Midnight Rule Making

There is another factor that could slow the approval process
even further; the midnight rule controversy. At the end of a presidential
administration there is a tendency to try to complete work on rulemaking
processes so that the outgoing administration can put their final stamp on the
regulatory process. When there is any controversy surrounding the potential
rules the opposition cries foul, maintaining that the new administration should
be the one to have approval of the regulatory action as they will be the ones
tasked with enforcing the rules.

The Clinton and Bush administrations were both accused of
using the midnight rule making process to further their agenda, but both
actually put internal rules in place to minimize the amount of rulemaking that
was completed in the last months of their administrations. Now the Obama
administration may or may not be around for an additional four years (the
election is still way too close to call) so it wouldn’t be fair for us to expect
a formal announcement of avoiding midnight rule making, but it appears that an
unofficial policy may be in place.

OMB Rule Submissions

The table below shows the rules that the Administration has
officially submitted to OMB during 2012; all data current as of yesterday
according to the Office
of Information and Regulatory Affairs (OIRA) web site. The ‘Completed’
column shows the number of rules submitted during that month upon which OMB has
completed their action. The ‘Incomplete’ column shows the number of rules
submitted during that month that still have actions pending.

Month   Completed   Incomplete   Submitted
Jan         45          14           59
Feb         38           8           46
Mar         44          12           56
Apr         28           9           37
May         25          19           44
Jun         15          11           26
Jul         17          10           27
Aug         10          17           27
Sep          3           9           12

Looking at this data it appears that the Obama
Administration has taken unofficial steps to reduce the potential appearance of
midnight regulating in the event that the President is not re-elected in
November. If he is re-elected I would bet that there is a surge of rules
submitted to OMB and a similar increase in the rate of approval of regulations
by that agency (for example there are 28 EPA rules currently under review at
OMB).

TWIC Reader Rule

Given the above information, I would not be surprised to see
the TWIC Reader Rule still pending approval come year end. If Obama is not
re-elected in November I would suspect that the rule would not go to the OMB
before January 21st, 2013. If he is re-elected the rule would be
expected to go to OMB in November and not be approved until after the first of
the year.

Wednesday, September 26, 2012

Last week before the Senate took their extended election
break Sen. Lieberman (I,CT) introduced S
3564, the Public Interest Declassification Board Reauthorization Act of 2012.
The bill reauthorizes the PIDB that was initially established by the Intelligence
Authorization Act for Fiscal Year 2001 (PL
106-567; Title VII) to advise the President “on the systematic, thorough,
coordinated, and comprehensive identification, collection, review for
declassification, and release to Congress, interested agencies, and the public
of declassified records” {PL 106-567 §703(b)(1)}.

Lieberman’s bill makes two minor changes to the provisions
for appointing members of the PIDB. More importantly it would extend the
authorization of the PIDB from December 27th, 2012 until 2018.

It’s odd that this bill was introduced this late in the
session; there is no way that this can be taken up before the election and it
seems to be too low a priority program to take up much time during the lame
duck session. Normally I would expect that this is one of the many bills
introduced during the last week before the election adjournment that were meant
only to be introduced for electioneering purposes. That is unlikely in this
case as Lieberman is retiring at the end of the 112th Congress.

The other odd thing about this bill is that it wasn’t
introduced by someone on the Senate Intelligence Committee; that is where the
bill originally came from. But not only was it introduced by Lieberman, but it
was also referred to the Senate Homeland Security and Governmental Affairs Committee,
not the intel folks.

I have no explanation for these oddities; I just point them
out. This bill will probably be taken up as a unanimous consent bill during the
lame duck session. I hope this bill does pass; the more people working at
declassifying outdated or misclassified material the better off the government
will be in the long run.

Today DHS announced in the Federal Register (77 FR 59203-59204)
that the Critical Infrastructure Partnership Advisory Council would be holding
a public meeting on October 3rd, 2012 in Washington, D.C. CIPAC
represents a partnership between the Federal Government and critical
infrastructure owners and operators and provides a forum in which they can
engage in a broad spectrum of activities to support and coordinate critical
infrastructure protection.

Agenda

This meeting will focus on efforts to enhance critical
infrastructure resiliency. Topics will include:

• Physical and Cyber Critical
Infrastructure Protection;

• Industrial Control Systems
Security;

• Opportunities in Mitigating Aging
U.S. Infrastructure;

• Social Media's Role in Critical Infrastructure;
and

• Critical Infrastructure Program
Updates

It is interesting to see that ICS security is receiving
special mention as a topic separate from cybersecurity. This is extremely
unusual for a general topic advisory panel such as this. Since this is an open
forum I wouldn’t expect that there will be anything new mentioned on threat
information, but it will be interesting to see how industry representatives
approach this topic in this venue.

Public Participation

The public is invited to observe the Council’s
deliberations. Advance registration to attend is not required; there will be
registration at the door. Public oral comments on the topics above will be
limited to a 30 minute public comment period at the end of the meeting, with
each speaker being limited to 3 minutes. Speaker order will be determined by
registration sequence.

Apparently there are no provisions being made to web cast
this meeting; DHS certainly needs to work on this area of their information
sharing. Opening the CIPAC meetings to a wider audience would do much to
alleviate publicly expressed concerns about this panel being a method of giving
special interests (industry) private access to DHS.

Written comments on the topics may be submitted via the
Federal eRulemaking Portal (www.Regulations.gov;
Docket # DHS-2012-0051).

Monday, September 24, 2012

I received three
anonymous comments today about last
night’s post about ICS-CERT alerts. Well, they were probably the same
comments three times trying to ensure that I got the information. The comments
were a list of ICS-CERT alerts for the Luigi vulnerability disclosures that I
mentioned in that blog post. I have gone back and confirmed that not only were
the alerts posted, but I commented on them in my blog.

Oh, well, I get stupid every once in a while. Somehow I
missed them in my file search yesterday. My apologies to ICS-CERT and my
readers. And thanks to my readers for pointing out the error.

There was one Luigi disclosure that wasn’t given an alert,
but even Luigi noted on his web site that the system was only marginally
related to control systems so ICS-CERT apparently decided that it did not fall
within their purview.

Okay, so my Luigi examples are full of c**p. That makes the Reid
Wightman disclosures even more of an anomaly. Why was there the almost
three month delay between Wightman’s disclosure of the ORing vulnerability and
the ICS-CERT Advisory? And why did ICS-CERT ignore the second disclosure in the
same blog posting?

There is a fourth comment on the same blog post by another
Anonymous reader that kind of obliquely mentions the US-CERT secure portal
where properly vetted owners can sometimes access advisories when the vendor
publishes the mitigation or patch before the vulnerability is made public. But
that is a separate matter as it appropriately gives system owners the ability to
patch their systems before the 0-day is disclosed to the public.

Sunday, September 23, 2012

Last week I did a blog
posting about an ICS system security report from ICS-CERT about vulnerability
that had been publicly disclosed back in June. I noted in that post that such a
public disclosure would normally have been expected to be reported shortly
after the disclosure as an alert. It wasn’t done in this case nor was a second
system vulnerability that was included in the same public disclosure mentioned
by DHS.

A while back, I’m not sure exactly when as I didn’t pay too
much attention, ICS-CERT changed their vulnerability
notification process page. They added the following notice:

“UPDATE! In cases where a vendor is
unresponsive, or will not establish a reasonable timeframe for remediation,
ICS-CERT may disclose vulnerabilities 45 days after the initial contact is
made, regardless of the existence or availability of patches or workarounds
from affected vendors.”

Reading over the remainder of the page I don’t see any
mention of alerts vs advisories; truth be told though, I don’t know if there
ever was such a mention on the page. A close reading of the page does seem to
indicate that ICS-CERT intends to give all vulnerability disclosures,
coordinated and otherwise, at least 45 days for the vendor to convince ICS-CERT
that they are working hard on fixing the problem.

Now this seems to track with the time frame on the Reid
Wightman disclosure that formed the basis for the ORing Industrial
Networking advisory and would explain why the other vendor mentioned in Reid’s
post on DigitalBond.com did not have an advisory published for their nearly
identical vulnerability; the second vendor convinced ICS-CERT that they were
working on a mitigation/patch strategy.

A single data point, however, doesn’t make for good
analysis. Trying to figure out where I could get additional data points, I
decided to go to Luigi’s web site since he is
such a prolific vulnerability discloser. Sure enough, since June 1st
Luigi has posted five disclosures on his web site that have yet to make it to
the ICS-CERT site. They include:

Now we all know that the fine folks at ICS-CERT follow Luigi
fairly closely. They have publicized all of his uncoordinated disclosures in
the past; usually within a day of their being posted on his web site. It is too
much to think that they have stopped following Luigi now, so it looks like the
days of alerts are over.

In one way it seems like a good thing to treat researchers
the same whether or not they coordinate their disclosures. It does, however,
put users at a disadvantage. The earlier ICS-CERT policy ensured that there
was one point that the average owner/operator could monitor for word when there
was an uncoordinated disclosure of a vulnerability. This allowed them to take
at least some precautions to protect their systems while the vendor was working
on a patch to correct the problem.

Without the early warnings provided by ICS-CERT Alerts
owners are put at a distinct disadvantage. Black hats certainly share the
information found in these public posts, particularly the proof-of-concept
exploits that typically accompany the publication of the vulnerabilities (they
certainly do for Luigi’s vulnerabilities).

So the bad boys get to have a 45 day head start on owner
operators; essentially a 45-day 0-day exploit. Oh, and it’s not just the one
researcher or organization that has the 0-day, it’s everyone that has access to
the researcher’s site. Maybe the folks at ICS-CERT need to re-examine their new
policy.

On Friday the Senate took up HR
2838, renamed it the ‘Coast Guard Authorization Act of 2012’ and changed
almost every provision of the bill, including increasing the authorized funding
and manpower for the Coast Guard. This was one of a large number of bills that
were passed by unanimous consent without debate. HR 2838 had to be discharged
from committee consideration (again by unanimous consent) to be brought to the
floor for this ‘vote’.

As was to be expected the language adopted by the Senate is
more closely related to S
1665, the Senate version of the authorization bill. Having said that, there
were significant changes made to the version of S 1665 that was reported by the
Senate Commerce, Science, and Transportation Committee. None of these changes
were debated anywhere in the Senate.

Nothing in this new bill addresses anything that deals with
chemical transportation safety or security or the Maritime Transportation
Security Act. The one provision that came close to addressing those issues (GPS
interference) that was included in the House version of the bill is
completely missing from this version.

This bill will probably be taken up by conference committee
after the election. Post-election politics will have a significant influence on
the outcome, if there is one, of that conference.

This CR will generally increase spending on current programs
by 0.612% {§101(c)} and will continue funding of the federal government until
March 27, 2013 {§106}. Section 137 provides for a separate moderate increase in
funding for certain cybersecurity programs in DHS NPPD. Section 139 of the bill
specifically provides for the extension of the CFATS program and there are no
funding restrictions included that would affect the CFATS program.

Friday, September 21, 2012

Today the Pipeline and Hazardous Material Safety
Administration (PHMSA) published a 30-day notice in the Federal Register (77 FR 58616-58622)
of their intent to revise certain pipeline safety reporting requirements. This
is a follow-up to the earlier
60-day information collection request (ICR) notice and includes responses
to the unusual number of public comments on the proposed changes.

Public Comments

Typically ICR notices do not receive much in the way of
public comments. This proposal however received 12 such comments. Copies of the
public comments can be reviewed on the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2012-0024).
Commentors included:

Of the remaining comments two were supportive of the INGAA comments and four were supportive of
the AGA.

The Comments

The individual comments and responses are really too
numerous to mention in a blog posting (this does take up 6 pages of the Federal
Register). I will list the separate reports covered and the total number of
comments received on each:

• Annual Report for Gas
Transmission and Gathering Systems – 26

• Gas Transmission Pipeline and
Gathering Systems Incident Report – 4

• Hazardous Liquid Pipeline Systems
Accident Report – 10

PHMSA agreed with some of the comments and made appropriate
revisions on the forms. Some comments they disagreed with, but made clarifying
changes to the forms or instructions anyway. And still others they disagreed with and let the
forms stand as proposed.

Administrative Change

I noted in my earlier blog post that PHMSA was not
requesting an extension of the expiration of the current ICR; just revising the
forms. That statement can be found at. That may have changed; the new wording
is not as clear as that in the original notice.

The original notice said:

“PHMSA is only requesting approval
of the information collection changes addressed in this notice. The information
collection for hazardous liquid accident reports (OMB control number 2137-0047)
is scheduled to expire December 31, 2013, and the information collection that
covers gas transmission annual reports and incident reports (OMB control number
2137-0522) is scheduled to expire January 31, 2014. In 2013 [emphasis added],
PHMSA will solicit comments on all aspects of these information collections,
including the forms, in accordance with the standard PRA renewal process.” (77 FR 22389).

This notice states:

“The following information is
provided for each revised information collection: (1) Title of the information
collection; (2) OMB control number; (3) Type of request; (4) Abstract of the
information collection activity; (5) Description of affected public; (6)
Estimate of total annual reporting and recordkeeping burden; and (7) Frequency
of collection. PHMSA will request a three-year term of approval for each information
collection activity. PHMSA is only focusing on the revisions detailed in this
notice and will request revisions to the following information collection
activities.” (77 FR 58622)

This will be made clearer when the actual request is made
to OMB, but that may be too late for any additional comments on the general
renewal of the ICR to be made.

Public Comments

Public comments on the revisions (or non-revisions) can be
submitted to the Office of Management and Budget (OMB). Comments may be
submitted by email (OIRA_Submission@omb.eop.gov)
and must be submitted by October 22nd, 2012.

Yesterday the Senate cleared one more hurdle on the way to an
actual vote on HJ Res 117, the Continuing Appropriations Resolution, 2013, by a
somewhat bipartisan vote
of 67-31. This should mean that there will be an actual vote today on the
measure, but there is an interesting
election year fight going on in the Senate that might delay a vote (and the
subsequent election adjournment) through the weekend.

Again, this is important to the chemical security community
because the CR includes a six month extension of the CFATS program and slightly
increases the funding for that program (and essentially the whole government)
during that period.

Thursday, September 20, 2012

Yesterday the Senate agreed to a cloture motion to allow
consideration of HJ Res 117, the Continuing Appropriations Resolution, 2013.
This procedural vote clears the last hurdle in allowing the Senate to vote on
this measure, probably today. The vote of 76-22 in favor of cloture is a pretty
sure sign that the measure will pass.

Just a reminder that passage of this continuing resolution
will continue the CFATS program through at least March 27th, 2013
with a slightly increased rate of funding.

Yesterday DHS ICS-CERT published two advisories for control
systems vulnerabilities and the “Roadmap to Secure Control Systems in the
Transport Sector”. The advisories deal with another self-reported Siemens
problem and a new ‘we-don’t-see-it’ vulnerability; this time in the ORing
Industrial DIN-Rail Device Server 5042/5042+ systems.

The Roadmap

Last year the DHS CSSP and the DOT John A Volpe National Transportation
Systems Center joined together to sponsor the Transportation Roadmap Working Group
to develop a roadmap for cybersecurity of control systems in the Transportation
Sector. The group consisted of representatives from a variety of transportation-related
government agencies and private sector organizations.

This is a 56
page document and will take some digesting before I can provide any real
analysis of its usefulness, but I will quote here from the foreword to provide
the Working Group’s perspective on what this document is supposed to be.

“The Roadmap to Secure Control
Systems in the Transportation Sector (Transportation Roadmap) describes a plan
for voluntarily improving industrial control systems (ICSs) cybersecurity
across all transportation modes: aviation, highway, maritime, pipeline, and
surface transportation. This Transportation Roadmap provides an opportunity for
transportation industry experts to offer input concerning the state of control
systems cybersecurity and to communicate recommended strategies for
improvement. This Transportation Roadmap brings together transportation
stakeholders from all modes, including government agencies and asset owners and
operators, by offering a common set of cybersecurity goals and objectives, with
associated metrics and milestones for measuring performance and improvement
over a ten-year period.”

Interestingly, only six of the eighteen members of the working
group come from the private sector: two reps from one shipping line, one
industry group (public transportation), an aircraft manufacturer (well, ‘formerly’
from Boeing) and representatives from the two transportation-related
Information Sharing and Analysis Centers (ISACs). The three non-federal
government agencies all come from California, and two of those from Los Angeles.
At first glance this hardly seems to represent ‘all transportation modes’.

Siemens Vulnerability

The Siemens
advisory concerns the latest in a number of self-reported
control system vulnerabilities. This one deals with an insecure HTTPS
certificate storage vulnerability in Siemens’ S7-1200 PLC. A moderately skilled
attacker can obtain the private key for the HTTPS certificate authority for the
PLC and use it to create a forged certificate to conduct a man-in-the-middle
attack on the browser communicating with the PLC.

Since the PLC also has a properly protected private key used
to dynamically generate its own certificate, the recommended mitigation is to
(pg 2) “uninstall the CA signing keys from the Web browser’s certificate store”
FOR EACH PLC (sorry for yelling, but are you kidding me? How many PLCs does
your system use?). Oh yes, then you have to (pg 3) “manually confirm the identity
of the PLC and accept its certificate via the browser” FOR EACH PLC.

Okay, kudos again to Siemens for self-reporting this, but this
was really poor design. Damned if this isn’t going to be a major headache for
systems engineers.

NOTE: The Siemens-CERT notes that this vulnerability was
discovered by ‘a researcher’. Naming that researcher might have encouraged
other researchers to contact Siemens with future vulnerabilities rather than
publicly disclosing them.

Slam Another Uncooperative Vendor

ICS-CERT takes on
another uncooperative vendor; this time ORing Industrial Networking is labeled
as an ‘unresponsive’ vendor over a reported vulnerability in their DIN-Rail
Device Server. Reid
Wightman reported (NOTE: ICS-CERT did publish this link in the advisory - kudos) the
hard-coded credential vulnerability.

I am kind of confused though. Reid’s post on DigitalBond.com
is dated June 13th (and addresses two different devices from two
different manufacturers). Typically this should have resulted in an alert (or two) about
the publicly identified vulnerability and this advisory should be the follow-up
to that document. There was no alert published that I can see.

A relatively unskilled attacker could remotely use the publicly
available exploit to gain administrative access to the device. In the absolute best
understatement of the year, ICS-CERT explains that this “could result in a loss
of availability, integrity and confidentiality” (pg 1).

Other vendors please note one last caveat emptor quote from
the advisory (pg 3):

“ICS-CERT is not aware of ORing
Industrial Networking developing a patch, update, or fix for the affected
products. The ORing software update Web site does not indicate that a new
version of firmware or security patch is available.”

Wednesday, September 19, 2012

This is another in a series of blog posts about
presentations made at the recent 2012 Chemical Sector Security Summit. The
first in the series dealt with the problems associated with the presentations
in general. The subsequent posts will deal with the information provided in the
slide presentations. The published presentations only provide the outline; I’ll
try to fill in what information I can from other sources or my best
guesses.

This post will look at the application of the CFATS program
at educational institutions. The presentation was made by Brad Huntsman of
ISCD. Since the first draft of the CFATS regulations, DHS has made it clear that
they expected that there would be portions of educational facilities that would
fall under the CFATS definition of a high-risk chemical facility, including
laboratories and physical plant operations. This brief presentation looks at
how many such facilities actually made it onto the current list of high-risk
chemical facilities regulated under CFATS.

Coverage

The CFATS regulations require any facility that has had, in
the last 60 days, an inventory of any of the 300+ DHS chemicals of interest (COI; Appendix
A, 6 CFR Part 27) in excess of the listed screening threshold quantity
(STQ) to submit a Top Screen to provide DHS with the initial information needed
to determine if a facility could potentially be regulated under the CFATS
program. Slide #3 of the presentation notes that the following areas of educational
facilities could be affected by this Top Screen submission requirement (Note:
This is not an exhaustive list):

• Chemistry labs;

• Research facilities;

• Field houses;

• Pool complexes; and

• Agricultural, medical, and other
campus facilities

Slide #4 provides the following data on the number of Top
Screen submissions and subsequent status under the CFATS rules:

• 324 Top Screen submissions;

• 60 Regulated high-risk chemical
facilities; and

• 8 Pending final status
determination.

After each potentially regulated facility submits a
subsequent Security Vulnerability Assessment (SVA), ISCD makes a final
determination of whether the facility is a covered facility and places it into one of
four risk tiers ranking its potential risk for terrorist attack; Tier 1 is the
highest tier ranking. Slide #4 also provides data on the tier rankings of the
60 regulated educational facilities:

• 1 Tier 1 facility;

• 17 Tier 2 facilities;

• 6 Tier 3 facilities; and

• 36 Tier 4 facilities.

There is nothing in the presentation that explains why there
is a Tier 1 facility on this list, but I would suspect that it is due to the
presence of a large amount of a toxic inhalation hazard chemical (probably
chlorine or anhydrous ammonia) at a campus support facility, though it could be
due to the presence of relatively small amounts of actual chemical weapons
grade materials at a research lab. The Tier 4 facilities are probably due to
the significant presence of theft-diversion chemicals in campus labs or
research facilities; these are chemicals that could be used to make
improvised explosives or chemical weapons.

Defining Covered Facilities

That an educational institution is regulated under CFATS
does not mean that the entire facility is placed under strict security
controls. It would be patently untenable for an entire college or university
to be placed under the type of security measures necessary to comply with the
Risk-Based Performance Standards for high-risk chemical facilities.

As with all chemical facilities, these schools have the option
of deciding just what portion of their campus will be included in the boundaries of the reported
facility. In fact, the 60 CFATS covered facilities are located at only 45
different schools. This means that some number of schools have multiple covered
facilities within their campus.

Educational Security Measures?

It does not appear that Mr. Huntsman provided any
information about how the Department expected these facilities to go about
adequately securing their facilities. The presentation includes a generic page
that deals with “CFATS Outreach to Colleges and Universities” but it provides
no real information other than mentioning “DHS has created outreach materials”
(a tri-fold brochure that can be accessed on the CFATS Knowledge Center web
page. Sorry, no permanent link is available; go to ‘page 2’ of the Documentation
section at the bottom left of the page) for such institutions.

Because of the problems that ISCD is having with their Site
Security Plan approval process, I would suspect that, other than the one Tier 1
facility, they have not given a lot of thought to the process of how schools
should go about securing their high-risk chemical facilities.

Yesterday the DHS ICS-CERT published another web browser (no,
not IE9) advisory,
this time with Fultek WinTR (a Turkish web-based SCADA system). The directory
traversal vulnerability was reported by Daiki Fukumori of Cyber Defense
Institute. Fultek has not verified the vulnerability (ICS-CERT has) and has not
offered any mitigations (since they don’t have a problem, why should they fix
it).

The Vulnerability

This is an increasingly common (read: it is being increasingly
reported) vulnerability (CVE-2012-3011)
in SCADA/ICS web browsers. The web server does not adequately sanitize user
inputs, allowing relatively unskilled attackers to retrieve arbitrary files from
the server. There is nothing in this advisory that describes the limits of what
files could be retrieved.
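To show what “does not adequately sanitize user inputs” means in a web-based SCADA server, here is an added example (not code from Fultek, ICS-CERT or the original post): the unsafe file-resolution pattern that produces a directory traversal, a hardened replacement that keeps requests under the document root, and a check that flags traversal attempts in web access logs. The document root and the log lines are constructed for this example.

```python
# Added example (not code from Fultek, ICS-CERT or the original post): the
# unsafe file-resolution pattern behind a directory traversal in a web-based
# HMI/SCADA server, a hardened replacement, and a log check for attempts.
# WEB_ROOT and LOG_LINES are constructed for this example.
import posixpath
import re
import urllib.parse

WEB_ROOT = "/srv/hmi/www"   # hypothetical document root of the HMI web server


def resolve_unsafe(web_root, requested):
    """Vulnerable pattern: user input is glued onto the document root and
    normalized, so '../' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(web_root, requested))


def resolve_safe(web_root, requested):
    """Hardened version. Percent-decodes twice (catches double encoding),
    rejects NUL bytes and backslash separators, normalizes, then requires
    the result to stay under the root. Returns None to reject the request."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # On a real server, also realpath() the file and repeat this check so a
    # symlink inside the root cannot point outside it.
    return candidate


# Request substrings that indicate a traversal attempt, raw or percent-encoded.
_TRAVERSAL = re.compile(r"(?i)\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e|%252e")
# Common log format: client IP first, then the quoted request line and status.
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/\S+" (\d{3})')


def flag_traversal(log_lines):
    """Return (client_ip, path, status) for each access-log line whose
    request path carries traversal syntax. A 200 on a flagged line means the
    server served the file and the host should be treated as exposed."""
    hits = []
    for line in log_lines:
        m = _REQUEST.match(line)
        if m and _TRAVERSAL.search(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [18/Sep/2012:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1832',
    '10.0.0.9 - - [18/Sep/2012:09:14:10 +0000] "GET /static/../index.html HTTP/1.1" 200 1832',
    '203.0.113.7 - - [18/Sep/2012:09:15:33 +0000] "GET /..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1204',
    '203.0.113.7 - - [18/Sep/2012:09:15:41 +0000] "GET /%252e%252e/%252e%252e/boot.ini HTTP/1.1" 404 320',
]

if __name__ == "__main__":
    print("unsafe:", resolve_unsafe(WEB_ROOT, "../../etc/passwd"))
    print("safe:  ", resolve_safe(WEB_ROOT, "../../etc/passwd"))
    for hit in flag_traversal(LOG_LINES):
        print("traversal attempt:", hit)
```

The second constructed log line is benign in effect but still uses traversal syntax, so the check flags it too; in practice any dot-dot segment in a request to an HMI is worth a look.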

Denying Vulnerabilities

As far as I can tell this is the first time the ICS-CERT has
published an advisory for a vulnerability that the vendor has denied exists.
There have been alerts and advisories where the researcher blew the whistle on
the situation, but not one where ICS-CERT called out the vendor. I think that
this is a good move on their part for a number of reasons. First, it makes it
easier for ICS-CERT to convince researchers to coordinate their disclosures.
Second, and maybe most important in my opinion, it provides a little
more pressure on recalcitrant vendors to respond more promptly to fix the
vulnerabilities identified.

Tuesday, September 18, 2012

Last week the House Homeland Security Committee submitted their
report on HR 2356, the WMD Prevention and Preparedness Act of 2011. None of
the information presented in the report deals with the threat of chemical weapon
attacks carried out through terrorist attacks on chemical facilities that could release
huge volumes of toxic inhalation hazard chemicals in or near large metropolitan
areas.

Leadership Delays

While there continues to be bipartisan support for this
limited WMD legislation, the leadership of the House continues to put road
blocks in the way of the consideration of this bill. First, the Committee
leadership took over four months to complete action on their report,
guaranteeing that floor action could not take place in the House
before the election.

The three other Committees to which this bill was referred (Committees
on Energy and Commerce, Transportation and Infrastructure, Foreign Affairs, and
Intelligence (Permanent Select)) have not taken action on the bill. The House
leadership extended their deadlines to consider the bill until November 30th,
2012. If that were not enough to ensure that no action will be taken on this
bill during this session, an additional Committee (House Committee on Science,
Space, and Technology) was added to the list of Committees to which the bill
was referred.

Ignores Industrial Chemical Weapons

I have long maintained that this bill spends too much time
concentrating on potential bioweapons, weapons that have as yet not been
employed by nation-states, much less terrorists. These potential weapons should
certainly be addressed, but ignoring the much easier to employ class of WMD,
industrial chemicals, makes little or no sense.

While the CFATS program does address security at a fraction
of the potential facilities holding large quantities of industrial chemicals
that could be used as improvised chemical munitions, a large number of such
facilities have been exempted from the strict security standards of that
program. More importantly, however, the CFATS program ignores the emergency
response and post-incident clean up requirements that are addressed in this
bill for potential bioweapons.

Perhaps the 113th Congress will be able to more
appropriately address the potential problems of the whole range of potential
weapons of mass destruction and prioritize the efforts of that program based
upon the likelihood of the employment of the various types of weapons.

Joel Langill made an important
point last week in a TWEET about my original OIP personnel problem post. He
said that these problems were “not
good in light of potential exec order!” Since NPPD would presumably be the DHS
agency that would be responsible for any program set forth in a cybersecurity
executive order, these problems might be expected to crop up in the responsible
agency. We certainly don’t want the cybersecurity jobs to be “given to
those in favor with senior IP leadership without regard to process or to
qualifications”.

So, Secretary Napolitano, please tell us that the DHS agency
given responsibility for carrying out the President’s CSEO will be staffed by
professionals who will be chosen based upon their experience and ability, not on
who they know. And don’t say ‘of course’; your agency does not have a very good
track record.

A little over a week ago I
did a post on some personnel issues in NPPD’s Office of Infrastructure
Protection that were identified to me in a copy of an email sent to the DHS IG.
As one would expect I have had problems finding someone in DHS that would talk
with me about these issues on the record. Even off the record no one wants to
provide any details about the alleged improprieties in OIP.

I have, however, been told by a former senior staffer from
Infrastructure Protection that these types of allegations are not new. That
former staffer notes:

“Jobs are given to those in favor
with senior IP leadership without regard to process or to qualifications. Many
if not most of the difficulties with IP programs can be traced to unqualified
managers and distraught employees whose morale has been shattered by these
shenanigans.”

Apparently formal complaints to the Office of the Chief
Human Capital Officer of DHS go back at least 5 years. Supposedly there have
been numerous specific complaints to the DHS Inspector General that have gone
nowhere. Complaints have even been made to members of Congress with no apparent
results. Everyone seems to want to sweep the problems under the rug.

We
saw last week in a Congressional oversight hearing that Congress pays
little or no attention to the root cause of the problems at CFATS. It seems to
me that these types of personnel issues are a sign of the underlying problem
with the CFATS program and other programs being run by the Office of
Infrastructure Protection.

Someone needs to start asking some hard questions of the
management of NPPD. Congress will have another chance to redeem itself in its
oversight responsibility on
Thursday when the Homeland Security Subcommittee of the House Appropriations
Committee has Deputy Undersecretary Spaulding before it in a resumption of its
CFATS hearing. Maybe they will take the opportunity to ask some hard questions
about the personnel issues that have led to the problems at ISCD.

The Senate Judiciary Committee updated
their web site today on their threat hearing that I mentioned in an earlier
blog. The updated information includes the witness list for the hearing and a change
in the location. Somehow I got the date for the hearing wrong in my earlier
blog; it will be held on Wednesday instead of the earlier reported Thursday.

Witnesses

There will be two witness panels for this hearing and
neither of them has much in common with the Homeland Security Committee’s
panel. The first panel will be government witnesses, including:

• Daryl Johnson, Founder &
Owner, DT Analytics, LLC; and

• James B. Jacobs, New York University School of Law

Hate Crimes

This hearing will be more focused on hate crimes than
terrorism threats. These can still serve as the basis for attacks on high-risk
chemical facilities if the perpetrator can find some link, even if only in his
mind, between his hate and the facility. Facility security managers may still
find some bits of intel here worth the price of admission.

Monday, September 17, 2012

This is another in a series of blog posts about
presentations made at the recent 2012 Chemical Sector Security Summit. The
first in the series dealt with the problems associated with the presentations
in general. The subsequent posts will deal with the information provided in the
slide presentations. The published presentations only provide the outline; I’ll
try to fill in what information I can from other sources or my best
guesses.

Today I will address the presentation made by Matthew
Bettridge of DHS ISCD on the CFATS
Personnel Surety Program. The PSP is supposed to address the requirement of
§27.230(a)(12)(iv) that requires high-risk chemical facilities to include in
their personnel surety programs “measures designed to identify people with
terrorist ties”. Currently the only federally acceptable way to identify such
people is to compare a person’s identity against the Terrorist Screening
Database (TSDB) administered by the Transportation Security Administration.

DHS Does Not Grant/Deny CFATS Access

As currently set forth in RBPS
#12 and the CFATS regulations, ISCD does not intend to administer a program
like the TSA TWIC or HME. There is no regulatory standard for access to CFATS
facilities similar to the ones found in those programs. CFATS facility
management will be the one to decide what standards must be met in the general
background checks to be conducted by the facility. The only regulatory requirement
is that the facility must submit information (what information has yet to be
established) to ISCD to allow TSA to conduct a check against the TSDB. There is
not even a prohibition against a person who is listed on the TSDB as a
suspected terrorist being given unaccompanied access to critical areas of a high-risk
chemical facility.

Previous Attempt at PSP

The presentation takes two slides to try to clarify the
proposed requirements of the PSP that was recently withdrawn from consideration
by the Office of Management and Budget (OMB). The OMB must sign off on the
program because it collects and processes information supplied by the public,
and the OMB is tasked to ensure that such information collection requests are
lawful, necessary, and minimally invasive. How much of that previously proposed
PSP will be contained in the new program that has yet to be developed remains
to be seen.

The New Proposal

Under Secretary Beers recently
told a Congressional Sub-committee that the Department will publish the new
proposal within 30 days. Given that short time frame (and reasonably that means
that the final draft has to be circulating for review within NPPD), it is kind
of surprising that there was so little information in this presentation about
what ISCD intended to include in their new proposal.

Actually, there was only one new item floated in this
presentation (unless Bettridge talked about others that were not in the slides).
That was to allow the use of TWIC readers in lieu of submitting personally
identifiable information to ISCD/TSA. If this does come about, ISCD will have a
TWIC reader ‘rule’ in place before the Coast Guard (I know TSA and CG have
already done the hard work, but it will be ironic in any case).

Use of the TWIC

If this clearly authorized use of the TWIC reader is
included in the final CFATS PSP, it is going to have its upsides and downsides.
Truck drivers with either a TWIC or HME (I think that TWIC readers should
recognize HMEs but I’m not positive; anyone want to chime in here?) will have
a delivery edge at CFATS facilities, but it will also increase the number of
truck drivers that are going to have to try to get a TWIC (and many won’t be
able to because of criminal records) as CFATS security managers begin to
require drivers to have TWICs to enter their facility. This is going to put
drivers at places away from TWIC Enrollment Centers at even more of a
disadvantage.

Facilities wishing to go to the TWIC for their PSP are going
to face the same criminal conviction problem that is going to be
facing truck drivers. Many owners have been willing to overlook some criminal
convictions that TSA will not let slide because they know the worker involved
or are willing to take the risk for a variety of reasons. Sliding the whole PSP
responsibility to TSA will force a number of people out of the chemical
workplace.

Finally, if there is a large-scale move to using TWIC
Readers for PSP purposes at CFATS facilities, the need for processing a large
number of new applications is going to coincide with a large number of renewals
of current TWIC users. This could create the same kind of backlog in the
system that we saw in the early days of the initial issuance of the TWIC.

PSP Approval

Unless ISCD requests emergency approval of their new PSP
information collection request (ICR), it is going to take at least six months
for the approval process to move forward. Here is what I see as an absolute ‘best
case’ approval timeline:

• February 11, 2013 – Close public
comment period on 30-day notice and submit ICR to OMB

• March 11, 2013 – OMB gives
approval of ICR

Actually I think that the ‘best case’ is, as is usual,
unobtainable. Unless there is a very dramatic change in the PSP proposal, there
will be extensive public comments on both ICR notices and responding to those
will delay any subsequent work on the ICR. If Romney wins in November, the
change in management at DHS will also slow the approval process. Finally, the
screwed up budget process will also weigh down all processes in the Executive
Branch.

I will be happily surprised if we have an
operational PSP in place by this time next year.

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.